In the Claims: 



Please cancel claims 1-31, and please add claims 32-62, as shown below. 
1.-31. (Canceled) 

32. (New) A computer-implemented method, comprising: 

storing an access control specification identifying a target entity to which access 
is to be controlled at a directory server, wherein the access control 
specification includes an acceptability criterion for operations on the target 
entity, wherein the acceptability criterion specifies a set of one or more 
acceptable values for an attribute of the target entity; 

in response to a request for an operation on the target entity from a requester, 
determining whether the operation violates the acceptability criterion, 
wherein said determining comprises determining whether the operation 
modifies the attribute value to a value outside the set; 

in response to determining that the operation does not violate the acceptability 
criteria, performing the operation; and 

in response to determining that the operation violates the acceptability criteria, 
indicating that the request is denied. 

33. (New) The method as recited in claim 32, wherein the acceptability criterion 
includes a respective acceptable set for each attribute of a plurality of attributes, and an 
indication of whether it is necessary to determine the acceptability of each attribute in 
order to determine that the operation does not violate the acceptability criteria, or whether 
the acceptability of any one of the attributes is sufficient to determine that the operation 
does not violate the acceptability criterion. 
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34. (New) The method as recited in claim 32, wherein said determining whether 
the operation violates the acceptability criterion comprises: 

determining whether a value of the attribute prior to the request is within the 
acceptable set; and 

determining that the operation violates the acceptability criterion if a value of the 
attribute prior to the request is outside the acceptable set. 

35. (New) The method as recited in claim 32, wherein the attribute is a multi- 
valued attribute, and wherein, prior to the request, the attribute has a plurality of values, 
wherein said determining whether the operation violates the acceptability criterion further 
comprises: 

determining whether each of the plurality of values of the attribute prior to the 
request is within the acceptable set; and 

determining that the operation violates the acceptability criterion if at least one of 
the plurality of values prior to the request is outside the acceptable set. 

36. (New) The method as recited in claim 32, wherein the access control 
specification specifies a category of directory server operations to which the acceptability 
criterion is to be applied. 

37. (New) The method as recited in claim 36, wherein the category of directory 
server operations comprises at least one of: operations that create attribute values, 
operations that delete attribute values, operations that modify existing attribute values, 
and operations that search for attribute values. 
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38. (New) The method as recited in claim 36, wherein the access control 
specification specifies a plurality of categories of directory server operations and a 
respective acceptability criterion for each category of the plurality of categories. 



39. (New) The method as recited in claim 32, wherein the acceptability criterion 
is comprised within an access control instruction stored at the directory server. 

40. (New) The method as recited in claim 39, wherein the location of the 
acceptability criterion within the access control instruction is indicated by a keyword. 

41. (New) The method as recited in claim 32, further comprising: 

receiving input from an operator indicating the acceptability criterion; and 

validating the acceptability criterion, wherein said validating comprises: 

checking syntax of the input in accordance with a predefined syntax for 
specifying acceptability criteria; and 

validating the set of acceptable values specified in the input. 

42. (New) A system, comprising: 
a processor; and 

memory coupled to the processor, wherein the memory stores program 
instructions executable by the processor to: 

store an access control specification identifying a target entity to which 
access is to be controlled at a directory server, wherein the access 
control specification includes an acceptability criterion for 
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operations on the target entity, wherein the acceptability criterion 
specifies a set of one or more acceptable values for an attribute of 
the target entity; 

in response to a request for an operation on the target entity from a 
requester, determine whether the operation violates the 
acceptability criterion, wherein said determining comprises 
determining whether the operation modifies the attribute value to a 
value outside the set; 

in response to determining that the operation does not violate the 
acceptability criteria, perform the operation; and 

in response to determining that the operation violates the acceptability 
criteria, indicate that the request is denied. 

43. (New) The system as recited in claim 42, wherein the acceptability criterion 
includes a respective acceptable set for each attribute of a plurality of attributes, and an 
indication of whether it is necessary to determine the acceptability of each attribute in 
order to determine that the operation does not violate the acceptability criteria, or whether 
the acceptability of any one of the attributes is sufficient to determine that the operation 
does not violate the acceptability criterion. 

44. (New) The system as recited in claim 42, wherein said determining whether 
the operation violates the acceptability criterion comprises: 

determining whether a value of the attribute prior to the request is within the 
acceptable set; and 

determining that the operation violates the acceptability criterion if a value of the 
attribute prior to the request is outside the acceptable set. 
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45. (New) The system as recited in claim 42, wherein the attribute is a multi- 
valued attribute, and wherein, prior to the request, the attribute has a plurality of values, 
wherein said determining whether the operation violates the acceptability criterion further 
comprises: 

determining whether each of the plurality of values of the attribute prior to the 
request is within the acceptable set; and 

determining that the operation violates the acceptability criterion if at least one of 
the plurality of values prior to the request is outside the acceptable set. 

46. (New) The system as recited in claim 42, wherein the access control 
specification specifies a category of directory server operations to which the acceptability 
criterion is to be applied. 

47. (New) The method as recited in claim 46, wherein the category of directory 
server operations comprises at least one of: operations that create attribute values, 
operations that delete attribute values, operations that modify existing attribute values, 
and operations that search for attribute values. 

48. (New) The system as recited in claim 46, wherein the access control 
specification specifies a plurality of categories of directory server operations and a 
respective acceptability criterion for each category of the plurality of categories. 

49. (New) The system as recited in claim 42, wherein the acceptability criterion 
is comprised within an access control instruction stored at the directory server. 

50. (New) The system as recited in claim 49, wherein the location of the 
acceptability criterion within the access control instruction is indicated by a keyword. 
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51. (New) The system as recited in claim 42, wherein the instructions are further 
executable to: 

receive input from an operator indicating the acceptability criterion; and 

validate the acceptability criterion specified in the input, wherein said validating 
comprises: 

checking syntax of the input in accordance with a predefined syntax for 
specifying acceptability criteria; and 

validating the set of acceptable values specified in the input. 

52. (New) A tangible, computer-readable medium, comprising program 
instructions, wherein the instructions are computer-executable to: 

store an access control specification identifying a target entity to which access is 
to be controlled at a directory server, wherein the access control 
specification includes an acceptability criterion for operations on the target 
entity, wherein the acceptability criterion specifies a set of one or more 
acceptable values for an attribute of the target entity; 

in response to a request for an operation on the target entity from a requester, 
determine whether the operation violates the acceptability criterion, 
wherein said determining comprises determining whether the operation 
modifies the attribute value to a value outside the set; 

in response to determining that the operation does not violate the acceptability 
criteria, perform the operation; and 
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in response to determining that the operation violates the acceptability criteria, 
indicate that the request is denied. 

53. (New) The computer-readable medium as recited in claim 52, wherein the 
acceptability criterion includes a respective acceptable set for each attribute of a plurality 
of attributes, and an indication of whether it is necessary to determine the acceptability of 
each attribute in order to determine that the operation does not violate the acceptability 
criteria, or whether the acceptability of any one of the attributes is sufficient to determine 
that the operation does not violate the acceptability criterion. 

54. (New) The computer readable medium as recited in claim 52, wherein said 
determining whether the operation violates the acceptability criterion comprises: 

determining whether a value of the attribute prior to the request is within the 
acceptable set; and 

determining that the operation violates the acceptability criterion if a value of the 
attribute prior to the request is outside the acceptable set. 

55. (New) The computer readable medium as recited in claim 52, wherein the 
attribute is a multi-valued attribute, and wherein, prior to the request, the attribute has a 
plurality of values, wherein said determining whether the operation violates the 
acceptability criterion further comprises: 

determining whether each of the plurality of values of the attribute prior to the 
request is within the acceptable set; and 

determining that the operation violates the acceptability criterion if at least one of 
the plurality of values prior to the request is outside the acceptable set. 



10/010748 (5681-08000/P6369) 



8 



Meyertons, Hood, Kivlin, Kowert & Goetzei, P.C. 



56. (New) The computer readable medium as recited in claim 52, wherein the 
access control specification specifies a category of directory server operations to which 
the acceptability criterion is to be applied. 

57. (New) The computer-readable medium as recited in claim 56, wherein the 
category of directory server operations comprises at least one of: operations that create 
attribute values, operations that delete attribute values, operations that modify existing 
attribute values, and operations that search for attribute values. 

58. (New) The computer-readable medium as recited in claim 56, wherein the 
access control specification specifies a plurality of categories of directory server 
operations and a respective acceptability criterion for each category of the plurality of 
categories. 

59. (New) The computer-readable medium as recited in claim 52, wherein the 
acceptability criterion is comprised within an access control instruction stored at the 
directory server. 

60. (New) The computer-readable medium as recited in claim 59, wherein the 
location of the acceptability criterion within the access control instruction is indicated by 
a keyword. 

61. (New) The computer-readable medium as recited in claim 52, wherein the 
instructions are further executable to: 

receive input from an operator indicating the acceptability criterion; and 

validate the acceptability criterion specified in the input, wherein said validating 
comprises: 
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checking syntax of the input in accordance with a predefined syntax for 
specifying acceptability criteria; and 

validating the set of acceptable values specified in the input. 

62. (New) A directory server, comprising: 

a database storing directory entries representing a plurality of entities managed 
using the directory server; 

an access control instruction builder configured to receive as input from an 
operator an acceptability criterion for an access control instruction 
indicating, based on specified acceptable values of an attribute of a 
particular entity of the plurality of entities, whether a directory server 
operation is permissible on the particular entity; 

an access control processor configured to: 

in response to a request for the operation on the particular entity from a 
requester, determine whether the operation violates the 
acceptability criterion by setting the attribute to an unacceptable 
value; 

in response to determining that the operation does not violate the 
acceptability criteria, permit the operation to be performed; and 

in response to determining that the operation violates the acceptability 
criteria, disallow the operation. 
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